# Gavin Andresen # 2011-01-11 17:54:31 # https://bitcointalk.org/index.php?topic=2672.msg37268#msg37268

CORS support doesn't change this.

IF the browser has a bug that lets JavaScript code read the local filesystem, THEN JavaScript code can get your rpc username/password from your bitcoin.conf file.

And IF the JavaScript code can do that, then it can send rpc commands to bitcoind running on localhost (because, surprisingly, the same-origin policy does NOT apply to localhost: urls -- we learned that lesson here six months or so ago).

That is all true right now, with the released bitcoin/bitcoind.